By default, ZAP listens on localhost:8080. You can change the default address
and port under Tools -> Options -> Local Proxies tab:
To test that network traffic interception works,
we will use a simple Java app:
There are a few things to notice:
We use Apache HttpClient to perform HTTP requests.
By default, Apache HttpClient does not use proxy servers,
even if you set ZAP as a system-wide proxy. We will deal
with this problem later. For now we will use the useSystemProperties() method
on the HttpClientBuilder class, which enables proxy support.
Right now we will concentrate on intercepting HTTP traffic.
I will show you how to deal with HTTPS connections later.
If we now run our application, we will notice that ZAP did not
intercept any traffic:
Indeed, right now our application does not know that it should use
a proxy server. We may force it to use a proxy via the JVM command line
or by dynamically setting system properties in code:
Whichever method you use, if you run the application again,
you should now be able to see a single intercepted request in ZAP:
You can remove previously recorded requests in ZAP by pressing Ctrl+N.
Intercepting traffic from proxy unfriendly apps
As I mentioned previously, Apache HttpClient ignores
proxy settings by default.
If we create our HttpClient using the create() method:
HttpClient will ignore proxy settings no matter how we set them.
For dealing with cases like this, we may use proxychains-ng.
This project is a new reincarnation of old
proxychains util which is no
Please be aware of this difference. On my system apt-get install proxychains
installs proxychains and not proxychains-ng that we need here.
To install proxychains-ng I needed to download sources from GitHub
and compile them myself:
We also need to change the default proxychains-ng configuration:
Now if we run our application using proxychains:
We will be able to intercept traffic using ZAP.
One of the limitations of proxychains is that it may not work for
subprocesses. If your app launches other applications, they may
not be proxied at all.
Intercepting HTTPS traffic
So far, so good, but what will happen if we try to intercept
HTTPS traffic from a new, more secure, example:
We will get an exception similar to:
We get this exception because the certificate returned by the ZAP
proxy is not trusted.
To fix this problem we must generate a new ZAP root cert and add it
(temporarily) to the Java keystore.
Generate a new cert and save it somewhere
(Tools -> Options -> Dynamic SSL Certificates):
Don’t forget to click OK.
Then add the ZAP root certificate to the Java keystore:
If we run our app again, we will be able to intercept an HTTPS request:
This again should work with proxychains-ng.
Sometimes to make it work you will have to uncomment the proxy_dns
option in the /etc/proxychains.conf file, that I earlier said to
comment out. Why this is sometimes needed, to be honest, I don’t know, but
it works this way…
For security reasons, after you have finished your debugging session,
you should remove the ZAP certificate from the Java keystore:
Always generate a new ZAP proxy certificate
before adding it to the Java keystore. If you must do this
often, I can advise you to create a script and/or bash alias to
make the entire process more convenient.
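One way to write the script suggested above, as an added example that is not part of the original post: it imports the exported ZAP root certificate, runs one command, and removes the certificate again on every exit path. The alias zap-debug-root, the keystore path and app.jar are assumptions; changeit is the stock JDK cacerts password.

```shell
#!/bin/sh
# Added example, not from the original post: trusts the ZAP root CA only
# while one command runs. Alias, keystore path and app.jar are assumptions.
# Usage: ./zap-session.sh zap_root.cer "$JAVA_HOME/lib/security/cacerts" \
#   java -Dhttp.proxyHost=localhost -Dhttp.proxyPort=8080 \
#        -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8080 -jar app.jar

ZAP_ALIAS="${ZAP_ALIAS:-zap-debug-root}"   # hypothetical alias for the entry
STOREPASS="${STOREPASS:-changeit}"         # default password of the JDK cacerts

# Import the certificate exported from ZAP into the keystore.
zap_trust_add() {      # zap_trust_add <cert-file> <keystore>
    [ -r "$1" ] || { echo "cannot read certificate: $1" >&2; return 2; }
    keytool -importcert -noprompt -trustcacerts -alias "$ZAP_ALIAS" \
        -file "$1" -keystore "$2" -storepass "$STOREPASS"
}

# Succeeds when the keystore still contains the ZAP entry.
zap_trust_present() {  # zap_trust_present <keystore>
    keytool -list -alias "$ZAP_ALIAS" -keystore "$1" \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

# Delete the ZAP entry; a keystore without it is already clean.
zap_trust_remove() {   # zap_trust_remove <keystore>
    zap_trust_present "$1" || return 0
    keytool -delete -alias "$ZAP_ALIAS" -keystore "$1" -storepass "$STOREPASS"
}

# Run a command with the ZAP CA trusted and always remove it afterwards.
# The body is a subshell, so the traps and variables stay local to it.
zap_session() (        # zap_session <cert-file> <keystore> <command...>
    cert=$1; store=$2; shift 2
    trap 'zap_trust_remove "$store"' EXIT   # cleanup on every exit path
    trap 'exit 130' INT TERM                # Ctrl+C also goes through EXIT
    zap_trust_remove "$store" || exit 1     # drop a cert left by an old session
    zap_trust_add "$cert" "$store" || exit 1
    "$@"
    exit $?                                 # keep the command's own status
)

if [ "$#" -ge 3 ]; then
    zap_session "$@"
fi
```

Because the entry is deleted before each import, a certificate freshly generated in ZAP replaces any older one instead of failing on a duplicate alias.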